Data Privacy, GDPR and Facebook | What you need to know

The Facebook Data Scandal, GDPR & the Financial Industry’s Privacy Measures

Recently, the New York Times alleged that Cambridge Analytica collected consumer information deceitfully by breaking Facebook’s rules.  A researcher at Cambridge University, Aleksandr Kogan, developed an app for the company that required users to sign in using their Facebook accounts.  In 2014, Facebook invited users to find out their personality type via a quiz developed by Cambridge University researcher Kogan called “This is Your Digital Life.”  About 270,000 users’ data was collected, but the app also collected some public data from users’ friends. That data included education, location, the groups and pages they like, their relationship status, and where they worked.  Based on that data, a psychological profile of that user was then created. Whistleblower Christopher Wylie, says the data of about 50 million people were harvested for Cambridge Analytica before the rules on user consent were tightened up (Facebook’s Zuckerberg speaks out over Cambridge Analytica ‘breach’, 2018).  Kogan was allowed to collect all this information for academic purposes; however, he wasn’t permitted to pass the data along to a third party. As a result, Facebook has now suspended Cambridge Analytica and Kogan from the platform (What Did Cambridge Analytica Do During The 2016 Election?, 2018).

The evolution of big user data collection has increased significantly in tandem with advances in technology.  “With a smartphone now in nearly every pocket, a computer in nearly every household, and an ever-increasing number of Internet-connected devices in the marketplace, the amount of consumer data flowing throughout the economy continues to increase rapidly.  The analysis of this data is often valuable to companies and consumers, as it can guide the development of new products and services, predict the preferences of individuals, help tailor services and opportunities, and guide individualized marketing. At the same time, advocates, academic, and others have raised concerns about whether certain uses of big data analytics may harm consumers” (Federal Trade Commission, 2016).  Any company in contact with big data should have an understanding of the various laws that may apply to big data practices.

“We’ve worried for a number of years that people in many countries were giving up data probably without knowing fully what they were doing and that these detailed profiles that were being built of them, that one day something would occur and people would be incredibly offended by what had been done without them being aware of it. Unfortunately, that prediction has come true more than once.”  – Tim Cook, CEO, Apple Inc.

Privacy data Regulations

The Federal Trade Commission (FTC) is an independent U.S. law enforcement agency charged with protecting consumers and enhancing competition across broad sectors of the economy.  Its primary legal authority comes from Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive practices in the marketplace.  The FTC also has authority to enforce a variety of sector-specific laws, including the Truth in Lending Act, the CAN-SPAM Act. The Children’s Online Privacy Protection Act, the Equal Credit Opportunity Act, the Fair Credit Reporting Act, the Fair Debt Collection Practices Act, and the Telemarketing and Consumer Fraud and Abuse Prevention Act.  These are all regulations designed to protect consumer information.

Responsible Sharing & Usage of user data

Companies engaging in big data analytics should consider whether they are violating any material promises to consumers.  It makes no difference whether the promises were to refrain from sharing data with third parties, to provide consumers with choices about sharing, or to safeguard consumers’ personal information if the company failed to disclose material information to the customer.  Companies that obtain big data on consumers have a responsibility to secure and protect consumers’ data. Companies must not sell their big data analytics to customers if they know or have reason to believe that those customers will use the products for fraudulent, discriminatory purposes or not for its intended purpose. The Facebook investigation involving the Cambridge Analytica focuses on the fact that users accepted the terms of the personality test and authorized the app to analyze their personal data, but did the users authorize the app to collect data about their friends. It isn’t currently clear on whether Facebook violated the consent decree, which says that Facebook is not liable when users consent to give their friends’ information to Facebook. The FTC is investigating to discover any other illegal activities. Many new lawsuits allege that Facebook engaged in deceptive practices because it represented to the public that strict limitations and protocols on data gathering were in place, but that Facebook knowingly allowed app developers to accumulate and mine data in excess of these policies.

Financial regulatory compliance & user data

Before the Right to Financial Privacy Act of 1978 was enacted, the US government did not have to tell consumers if or when they were accessing their records, and consumers had no right to prevent them from doing this. Until the Gramm-Leach-Bliley Act, which established that financial institutions must provide clients a privacy notice that explains what information the company gathers, where the information is shared, and how the company safeguards that information. The privacy notice must also explain the customers’ opportunity to opt out, meaning the client can say no to allowing their information to be shared with nonaffiliated third parties. Unlike how the financial services industry must stay in compliance with the Gramm-Leach-Bliley Act, it is unclear whether Facebook is subject to similar data privacy regulations, which would make them responsible for the actions of Cambridge Analytica. In the financial services industry, banks are held accountable for the actions of third-party vendors and must disclose to customers if any personal non-public data will be shared with affiliates or third parties. In 2017, we learned of the major data breach from Equifax, when hackers exposed over a hundred million American consumers sensitive personal information. But so far, at a Federal level, there hasn’t been any new laws that hold companies responsible for mishandled data or data breaches.  Even though Facebook is not regulated by these acts, due to the fact that they didn’t follow up or monitor how Cambridge Analytica used harvested data, Facebook Users information was used to design ads to target and influence them without their knowledge or consent.

The European Union’s General Data Protection Regulation (GDPR) is effective May 25, 2018, and forces any business entity in Europe, as well as, any country doing business with customers residing in Europe, to comply by the rules outlined in GDPR.  The aim is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world.  The regulation contains several major new data-subject consumer rights, including:

• Breach notification will become mandatory within 72 hours
• Customers will have the right to obtain (from the data collector) confirmation as to whether or not personal data concerning them are being processed, where and for what purpose.
• Customers are entitled to a copy of the subject personal data, free of charge.
• Right to be forgotten, which allows the data subject to have the data collector erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.

GDPR offers consumers transparency to discover what personal information exists and how it is being used.  The consumer is empowered to take control of their personal data and prevent it from being used unwillingly.

The question is, does the United States need to implement similar regulation and is Facebook the catalyst for such regulation?  Assuming that companies will do the right thing by the consumers, isn’t enough assurance anymore.  Companies rely more and more on consumer data, and it’s a wealth of knowledge that can be sold for a high value to other companies.

The financial services industry should use this case as a learning opportunity to take a long hard look at their own privacy policies and practices. A bank should be aware of what consumer data they have and how such information is stored. They should actively review vendors, partners, and third-parties to determine what access level those entities have to consumer data, and more specifically, what data they have access to, and for how long. Tracking and monitoring the hard copy and digital movement of consumer data within an institution is key to safeguarding the information. Banks must also determine whether the customer is informed on how their data will be used, whom it may be shared with,  and for what purpose. Customers should also have the ability to opt out or limit their sharing at any time. As US-based regulatory agencies work towards data protection similar to GDPR measures, at both federal and state levels, financial services organization in the US should continue to keep a close eye on such developments and regulatory changes to ensure compliance within their organization.

—

Discover how you can stay up to date on all the latest regulatory news and agency updates with Compliance.ai. Streamline your regulatory intelligence with access to all state, federal and mainstream regulatory news and updates with Compliance.ai’s Pro Edition. Get real-time updates on changes and developments for free for 30-days. Start your trial now!

—

—

Other related blogs:

• The Bank Secrecy Act & Cryptocurrency Regulation in the US
• State of Affairs: Cybersecurity & Privacy